In June of 2015, Dimensional Research conducted a survey for Tripwire of over 400 energy executives and IT professionals in the energy, oil, gas and utility industries on cybersecurity and compliance initiatives. The survey found that 86 percent of energy security personnel believed they could detect a breach on critical systems in less than one week. This timeframe widely disagrees with Mandiant’s M-Trends 2015 report and the 2015 Data Breach Investigations Report, both of which found that security professionals in the energy industry usually take months to detect an attack against their networks.
The June survey clearly shows that IT personnel were confident in their ability to detect an incident.
Some months later, it would now appear that security professionals have adopted a soberer appreciation of the risks at hand.
Tripwire has announced the results of another study conducted for Tripwire by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The newest study, which was carried out in November 2015, surveyed over 150 IT professionals in the energy, utilities, and oil and gas industries.
As revealed in Tripwire’s study, some 82 percent of respondents reported that an attack on the operational technology (OT) in their organization could potentially cause physical damage. This finding is generally consistent with June’s study, when 83 percent of respondents affirmed the same belief with regards to their organization’s infrastructure. However, in the newest survey, 100 percent of executives now feel recognize the threat against OT, which is up from 94 percent back in June.
The study also reveals that three quarters of respondents feel that their organization is a target for an attack that could cause physical damage (78 percent). Approximately the same number (76 percent) feel that a nation-state actor could threaten them with such an offensive.
However, when asked whether their organization has the ability to actively track all of the threats confronting their OT networks, only 35 percent said “yes”, with others citing the sheer number of threats, a lack of network visibility, and departmental compartmentalization as reasons why they said “no” or stated they weren’t sure.
This is a concerning number, especially considering the damage BlackEnergy malware alone has wrought against Ukrainian power companies and airports in recent weeks.
“We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed,” said Tim Erlin, Director, Security and IT risk strategist at Tripwire. “There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today.”
If anything, this risk is getting worse. According to the Department of Homeland Security, the energy sector faces more cyber attacks than any other industry, and attacks on industrial control system networks are on the rise.
Fortunately, there is hope.
“While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyber attacks,” explains Erlin.
To learn more about how Tripwire can aid your energy organization in threat detection, please click here.
Title image courtesy of ShutterStock